Do it yourself ‘on the back of a fag packet’ (or in a spreadsheet)
Undoubtedly some businesses can take an informal approach to the problem. Small businesses may not have a substantial number of suppliers. They may outsource all their core ‘IT’ to Microsoft 365 or Google Suite, and add a few cloud services for customer relationship management and business accounts. There is little merit in over-engineering the solution. If you really have only a few suppliers, and they are delivering mass-market commodity services, then you may well be able to handle the problem in house.
This solution may sound attractive, but the risks remain existential, and I would offer a few words of caution before it is applied:
- It is vital to have a properly prepared questionnaire that is sent to suppliers so that they provide the information you need to assess their risk in a standard fashion. You also need the skills to be able to interpret the responses that suppliers provide and make an assessment of the risks. The output needs to be relevant to the business decisions, so should be action oriented.
- Many suppliers are now reluctant to respond to spreadsheet-based questionnaires because, once returned, the spreadsheet is outside their control, and the sensitive information it holds is at greater risk of falling into the wrong hands.
- Do not underestimate the volume of suppliers you need to assess. The amount you spend on a supplier or its size (or even the solution they provide) is not necessarily a good indicator of the risk they pose. It may be that the supplier of paper clips is not a security priority but a lot of ‘non-technical’ suppliers handle large volumes of sensitive data and therefore pose a considerable risk.
- You should also assess any supplier where you are installing or integrating their technology onto your systems because of the potential for systemic risk.
- Finally, it is important to assess any supplier who is delivering web content or internet facing systems that are visible to your customers or the public.
If you decide the burden is too great you might consider outsourcing it to a consultancy.
But if the consultancy is going to do the same thing you would do in-house, the disadvantages remain, only at extra cost. Ask the consultancies what tooling and analytics they apply, and how this helps their clients.
Do Third Party Risk Management ‘in house’ with existing systems
Many organisations already have Governance, Risk & Compliance (GRC) or other risk management systems in place to address other categories of risk. Usually, internal policies and processes will be in place. Using an existing system may seem the easier way to aggregate Third Party Risks into the overarching corporate view of risk.
But this may not be such an attractive option as it appeared at first sight. The aim is not to populate a risk matrix, but to reduce risk to a level that is tolerable. Factors to consider are:
- To do an effective action-oriented assessment of risk you need to collect a lot of information from the suppliers, confirm it and then analyse it to develop an action plan:
  - Do the existing tools enable this to be collected efficiently?
  - Can suppliers interact directly, or will you need your own staff to transfer data from one system to another?
  - How will you validate suppliers' responses through richer, hard-to-fabricate documentation, third party evidence and/or open-source intelligence?
  - Can the existing GRC platform provide any help with the analysis?
- Risk remediation is a team sport. You are only likely to make an impact on the risks if all relevant stakeholders can collaborate, while referring to a common view of the situation, the concerns, and the required actions:
  - Do all your relevant internal stakeholders have access to your current platform?
  - Does the platform provide an effortless way of collaborating, whilst enforcing the principle of ‘need to know’ on the sensitive information?
  - How can you involve and collaborate with the suppliers themselves?
Very few GRC tools are intended to be accessible to third parties in this way.
Do TPRM ‘in house’ with optimised tools
If you have the skills, but either do not have an existing GRC tool or believe its disadvantages are greater than its benefits then you may look for a toolset that is optimised for the task in hand. The sections above give an idea of the features and requirements that deliver value. Certainly, you want something that can efficiently collect, enrich, validate and analyse the information to conduct risk identification. You need to drill into those risks to reveal the underlying issues, or findings, that are aggravating them. And those findings should be able to capture recommendations to remediate them.
But the aspect that we feel is most often overlooked is a secure collaboration environment that enables all relevant stakeholders, both internal and external, to come together with the common goal of reducing risk for mutual benefit.
Also, do you have the resources and skills in house to be able to do this on an ongoing basis? Chasing suppliers for information, and interpreting information from diverse and often conflicting sources, can be a specialist task. The tooling may help, but there is still a burden, and you need to ensure that once all the assessments have been completed you still have sufficient resource in place to work on the remediation.
Outsource Your Third-Party Risk Management to a specialist Service Provider
The final solution that we see is similar to the previous ‘in house’ option using optimised tools, but passes the task of collecting, validating, analysing the information, and developing the assessments and recommendations to a specialist service provider. This is different from asking a consultancy to send out spreadsheets. The service provider should have leading edge tools that drive efficiency, accuracy, and consistency. Efficiency means you will be able to get conclusions on suppliers faster, hopefully in time to influence procurements. Accuracy is understood, but evidence-based consistency of the conclusions from one supplier to another is just as important. And the tools should extend into your business, helping your stakeholders quickly understand risks, prioritise actions, collaborate with stakeholders, and track remediations.
In summary, these are the four key options that we see, but there are undoubtedly others as well. Whatever you do, ask yourself these key questions before you invest in your preferred one:
- Will it enable us to understand, with confidence, where risk is concentrated and how much effort will be involved?
- Will it enable us to identify what specific actions need to be taken to reduce risk to within our Risk Appetite?
- Will it enable us to execute those actions, and maintain an audit trail of the decisions and the remediations?
C2 Cyber are experts in cyber security and vendor risk management. To find out how to secure your supply chain and enable it to operate safely, call us today on +44 (0) 20 7965 7597 or book an appointment with a team member.